Linux – Configuring IPtables to mirror traffic in CentOS

Tags: centos, iptables, linux

I'm trying to set up iptables to mirror traffic coming into eth2 and send to 10.1.4.4. I have been reading a lot of documentation on this but am having some issues.

Here is the command I am trying to use:

[root@test]# iptables -t mangle -A PREROUTING -i eth2 -j TEE -gateway 10.1.4.4
iptables v1.4.7: multiple -j flags not allowed

I'm currently testing this on CentOS 6.5 and using iptables v1.4.7. Any ideas on why this isn't working?

Best Answer

You have a syntax error; you should use two dashes in the gateway option, like this:

iptables -t mangle -A PREROUTING -i eth2 -j TEE --gateway 10.1.4.4

EDIT: on CentOS 6.x iptables userspace is not correctly patched. TEE was added in 1.4.8 and CentOS 6 runs 1.4.7, and I guess you'll need to patch and rebuild RPM. I can check the code and offer a solution if you wish.

EDIT: The problem is a little bit more complicated. I've tried backporting various versions of iptables to get it to work, and it's not only an iptables problem per se. It's also a kernel problem. The CentOS version from EL7 works ok (1.4.21) and some Fedora versions too. So, what you can do is:

# rpm -Uvh http://mirrors.nic.cz/fedora-archive/fedora/linux/releases/14/Everything/x86_64/os/Packages/iptables-1.4.9-1.fc14.x86_64.rpm
Retrieving http://mirrors.nic.cz/fedora-archive/fedora/linux/releases/14/Everything/x86_64/os/Packages/iptables-1.4.9-1.fc14.x86_64.rpm
warning: /var/tmp/rpm-tmp.NDCBn2: Header V3 RSA/SHA256 Signature, key ID 97a1071f: NOKEY
error: Failed dependencies:
    libxtables.so.4()(64bit) is needed by (installed) iproute-2.6.32-32.el6_5.x86_64

Now, if you want to install it you'll need to add --force --nodeps, which will render iproute inoperable because of the missing dependency. Then you'll have to extract libxtables.so.4 from the original iptables rpm and keep it manually on the system to fix iproute :)

And after all of that, you will get the following error:

# /sbin/iptables -t mangle -A PREROUTING -i eth2 -j TEE --gateway 10.1.4.4
iptables: No chain/target/match by that name.

This is a kernel problem - module xt_TEE.ko is missing from standard CentOS/RHEL EL6 kernels:

# rpm -ql kernel | grep xt_TEE

You can work around that by using the ELrepo kernel:

# rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
# rpm -Uvh http://www.elrepo.org/elrepo-release-6-6.el6.elrepo.noarch.rpm
# yum --enablerepo=elrepo-kernel install kernel-lt
# rpm -ql kernel-lt | grep xt_TEE
/lib/modules/3.10.69-1.el6.elrepo.x86_64/kernel/net/netfilter/xt_TEE.ko

To read more about kernel-lt (LongTerm) packages and what their limitations/benefits are, please visit: http://elrepo.org/tiki/kernel-lt.

If you plan on using this in production, please try it and test it thoroughly and try to backport stuff into EL standard kernels and into standard iptables 1.4.7 :)

It can be done but it's a can of worms which I'm not sure you wanna open. Is it worth it?
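As an added example (not part of the question or the answer above), here is a small POSIX sh pre-flight script that performs the two checks the answer walks through before applying the TEE mirroring rule: userspace iptables must be 1.4.8 or newer, and xt_TEE.ko must be present for the running kernel. The interface, gateway and module directory are assumptions taken from the thread and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not from the original answer: only add the TEE mirror rule
# when both userspace iptables (>= 1.4.8) and the kernel module are present.
# IFACE, GATEWAY and MODDIR are assumed defaults matching the thread above.
IFACE="${IFACE:-eth2}"
GATEWAY="${GATEWAY:-10.1.4.4}"
MODDIR="${MODDIR:-/lib/modules/$(uname -r)}"

# Return 0 when a dotted iptables version is >= 1.4.8 (first release with TEE).
# Fields are compared as numbers, so 1.4.21 correctly ranks above 1.4.8.
iptables_supports_tee() {
    ver="$1"
    major=$(printf '%s\n' "$ver" | cut -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -d. -f2)
    patch=$(printf '%s\n' "$ver" | cut -d. -f3)
    [ "${major:-0}" -gt 1 ] && return 0
    [ "${major:-0}" -lt 1 ] && return 1
    [ "${minor:-0}" -gt 4 ] && return 0
    [ "${minor:-0}" -lt 4 ] && return 1
    [ "${patch:-0}" -ge 8 ]
}

# Extract the version number from "iptables v1.4.7" style output of iptables -V.
parse_iptables_version() {
    printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9.]*\).*/\1/p'
}

# Return 0 when xt_TEE.ko (possibly compressed) exists under the given modules dir.
have_xt_tee_module() {
    find "$1" -name 'xt_TEE.ko*' 2>/dev/null | grep -q .
}

# Apply the mirroring rule only after both checks pass; note --gateway (two dashes).
add_tee_mirror_rule() {
    ver=$(parse_iptables_version "$(iptables -V 2>/dev/null)")
    if ! iptables_supports_tee "${ver:-0.0.0}"; then
        echo "iptables ${ver:-unknown} lacks the TEE target (needs >= 1.4.8)" >&2
        return 1
    fi
    if ! have_xt_tee_module "$MODDIR"; then
        echo "xt_TEE.ko not found under $MODDIR (kernel lacks TEE)" >&2
        return 1
    fi
    iptables -t mangle -A PREROUTING -i "$IFACE" -j TEE --gateway "$GATEWAY"
}
```

Source the file and call add_tee_mirror_rule as root; on a stock CentOS 6.5 box it stops at the first check with the 1.4.7 version message instead of producing the cryptic "No chain/target/match by that name" error.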